This is a non-provisional patent application.
1. Field of the Invention
The present invention relates generally to protecting digital information from mass, free distribution while allowing an authorized user to utilize said information on a variety of devices.
2. Background
The term “Digital Rights Management” (DRM) encompasses the management of legal rights for business and commercial purposes, including tracking those rights, rightsholders, licenses, sales, agents, royalties and their associated terms and conditions, in the digital age. Some definitions follow.
Rights are the privileges, to which one is justly entitled, to perform some action involving the intellectual property of some entity.
A Content Owner is a legal entity that owns the rights in some intellectual property by virtue of a copyright, trademark, patent and so on. These rightsholders may enter into legal arrangements whereby they either sell or license those rights or subset of rights to another party.
A User/Licensee is the legal entity that has licensed rights for some type of content.
A Rights Transaction includes the act of legally transferring rights from one entity to another.
An Agent is a legal entity that has been granted authority by a Content Owner to perform rights transactions with other parties in the interests of the rightsholder.
Royalties are the monetary compensation paid to a Content Owner associated with a rights transaction.
Utility Rights allow the necessary functionality to maintain the user's collection of digital content files and their associated rights files (e.g., the right to backup and restore content files to the original device;. data integrity rights, which permit the creation of error correcting/detecting codes and checksums; and caching rights to duplicate the content on many servers for the performance of their distribution process).
Prior to the wide spread popularity of the Internet, content was physically distributed and therefore carried a set of implicit rights. A customer could purchase an album from the record store, which obtained consideration, for album rights owners, in the form of the customer's money.
Rights models require more information than just the type of rights that have been granted to a user for a particular instance of content. For each right granted, there are express limitations, qualifications and/or compensation for the use of those rights.
Attributes
The consideration attribute declares the necessary compensation required in return for utilizing the associated right. Typically the consideration is monetary, but could also take any other form relevant to the content owner. For example, the user may be required to provide relevant demographics or participate in a survey.
The extent of the right declares information such as how many times, for how long, during what periods or in what locations the right is valid. For example, a user might have purchased the right to play a video five times, or all weekend, or is only permitted to view a sampling of the video. In another example, a user of an e-book article might have the right to view the content unlimited times, but can only print the content twice.
Another major attribute category is the type of user attribute, which provides the ability to group rights into different categories and grant those sets of rights to different users based on their user type. A user authenticated as a valid agent might have the “copy” right of a movie, while another user only has the “view” right.
Business Models
Paid Downloads
The paid download model was the original DRM business model. Customers could enter a provider's website, shop for content, enter their credit card and, after validation, download their requested content. This interaction model is similar to the business model where the consumer enters a store and immediately pays for some item. DRM systems can enforce the rights purchased by the consumer once the content is resident on the consumer's device. Often, however, purchasing the content is too complex for consumers. Also, many consumers do not want to be tethered to their PC while viewing or playing content.
Subscriptions
In the subscription model, the consumer creates an account on the provider's website and typically picks a specific price plan. The plans offered by the provider allow the consumer to acquire a given set of rights for a predetermined period of time for content offered through the provider's website. The DRM system on the client enforces the rights allowed by the subscription that the consumer has purchased. A subscription might allow a certain number of plays under the flat fee subscription. If the user exceeds their limit, the additional accesses are rated on a per-usage basis.
Pay-per-access
The pay-per-access business model has two forms: pay-per-view and pay-per-listen. None, of the current set of DRM solutions, offer the processing micropayments.
Superdistribution
Superdistribution allows the rights associated with content to be passed along to additional users while still honoring the considerations associated with the rights.
The physical distribution, of content and the associated rights, has two fundamental models. In one case, the rights and content are conjoined entities and cannot be separated. As conjoined entities, these distributions are packaged and valid only for each individual device that purchases the content. The second fundamental model of distribution separates the rights and content into their respective parts. The rights are packaged into a file termed the license document.
The rights associated with content in a superdistribution model must specify what a consumer can do with the content after they have bought those rights, including the set of rights that may be passed along to the next user along with any additional limitations and considerations.
Referring to FIG. 1, most production DRM systems (100) follow the architectural pattern which supports the separate distribution of the rights document (162). The architecture comprises: the content server (120), the license server (160) and the client device (140). Each of these components collaborates with each other to complete the DRM (100) implementation.
The content server (120) has the responsibility of making this digital content (142) available for download to devices (140) participating in the DRM arrangement. The content server (120) also has the responsibility of cataloging the available content and providing some type of registry that allows potential consumers to navigate a list of available content for download. The registry might contain descriptions of the content as well as marketing information. The content server is preferably locatable so the client can obtain the package content in the first place. The final responsibility of the content server (120) is to create a set of rights documents (162) that the rightsholder will grant to users of the content (142). These rights documents (162) might also contain the compensation metadata associated with the various rights. The content server (120) may update the rights documents (162) that are to be offered to clients, as well as change the encryption information for a piece of content.
The license server's (160) primary responsibility is to package the appropriate rights document (162) with the appropriate decryption key for the requested content (142), and provide that packaged license to the client device. In order to authenticate clients, the license server (160) may also process encryption key(s) and certificate(s) presented by the client device (140). The license server (160) may also collaborate with the content server (120) to obtain updates about new and existing registered content.
The client device (140) has the responsibilities of authenticating the current device user, acquiring content, requesting licenses from the license server (160) and finally adhering to the policies of the rights document (162). The client device (140) may also create a local repository (148) of existing licenses that have been acquired in the past which a DRM controller may access after the user has been authenticated. Once all of the DRM functionality has been taken care of, the client device (140) can also render the content. A DRM controller (146) performs its authorization of the requested rights, and, if successful, decrypts the restricted content so that the rendering application (144) can access the content (142). If the rights have expired or the license document was not found in the local repository (148), the DRM Controller (146) can then collaborate with the license server (160) to acquire a new rights document (162).
Identifiers
It is preferable that all DRM systems have the capability to uniquely identify a piece of content. One promising standard in this area is the Digital Object Identifier (DOI). The DOI standard stems from the Association of American Publishers (AAP) work on their online copyright management initiative. A DOI is analogous to a web Uniform Resource Locator (URL) using a Domain Name Server (DNS) to resolve the true Internet Protocol (IP) address of the resource.
Language
The second important standards area relevant to the invention governs the rights document structure. One of the most complete standards for expressing rights within an XML document is the Extensible Rights Markup Language (XrML) standard. The current release of the specification is XrML 2.0. XrML defines two security concepts: issuer and trusted Principal. These allow the definition of licenses that specify the right to issue other licenses.
Digital Property Rights Language (DPRL) also focuses on the concept of trusted systems, which can render content according to a precise definition.
Security
The main objective of incorporating cryptography in a DRM solution is to prevent the content from being accessed outside the control of the DRM solution. When the key value used to encrypt and decrypt the data is the same value, a symmetric key algorithm is being used. DES, Triple DES, RC4, RC5 and RC6 are common symmetric algorithms. In the asymmetric encryption model, two different keys (public and private) are used to perform the encryption process. In order to determine the authenticity of the origins of a public key, a Certificate and Certificate Authority come into play. A certificate encapsulates the public key and some description information about the sender. A certificate authority is a well known entity such as the RSA security company. Certificates can be chained together to form a linked list of trust.
Other security measures include message digests, digital signatures, smart cards and code obfuscation.
Trusted Environment
The computing industry has awakened to the need of a distributed computing environment where software providers can be assured that their software will not be altered, examined or spoofed by other software and hardware components. Industry consortiums, such as the Trusted Computing Platform Alliance (TCPA), and individual hardware manufactures, such as IBM and Texas Instruments, are currently delivering specifications, chips and peripherals that support this type of trusted environment.